
AWS Cloud Forensics & Incident Response

Tushar Verma
February 02, 2023


Transcript

  1. Design Goals of Cloud Response
     01 Establish response objectives
     02 Respond using the cloud
     03 Know what you have and what you need
     04 Use redeployment mechanisms
     05 Automate where possible
     06 Choose scalable solutions
     07 Learn and improve your process
  2. AWS CloudTrail
     Logs/identifies all API actions performed within an account:
     • Who performed it (principal type, source IP/service, user agent)
     • When it occurred (date/time)
     • Where it occurred (region)
     • What occurred (API action performed)
     • Which resource(s) were affected (with configuration/parameter info)
     • Result(s) of the action (success/error with associated result info)
  3. Amazon CloudWatch
     Log target/aggregation point for monitoring, querying and alerting on various logs:
     • Instance (system) performance metrics
     • OS/application logs
     • AWS service logs (CloudTrail, GuardDuty, Security Hub)
     • VPC flow logs
  4. AWS Config
     • Logs resource configurations (changes) over time
     • Can also record instance OS/software configuration changes and updates
     • Leverage these logs to discover, map, track (and alert on) AWS resource relationships and changes in your account
  5. VPC Flow Logs
     • NetFlow(ish)-type network flow logs
     • Collects and delivers network flow log records in aggregation intervals
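The flow records the slide describes are plain space-separated lines in the default (version 2) format, so the first thing an analyst usually needs is a parser that tolerates the NODATA/SKIPDATA records and then collapses the per-interval records into flows. The block below is an added example for this deck, not the author's code; the log lines are constructed sample data and the 3-rejected-flows threshold in `rejected_sources` is an arbitrary illustration value.

```python
"""Parse AWS VPC Flow Log records (default v2 format) and summarise them per flow.

Added example, not code from the deck. SAMPLE_LINES are constructed records.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Default flow log format, version 2, space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: two SSH records for the same flow, three rejected probes
# from one external address, and one NODATA interval with no traffic fields.
SAMPLE_LINES = [
    "2 123456789010 eni-0a1b2c3d 10.0.1.5 10.0.2.20 49152 22 6 20 4249 1675300000 1675300059 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d 10.0.1.5 10.0.2.20 49153 22 6 12 2100 1675300030 1675300089 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40001 3389 6 1 40 1675300000 1675300059 REJECT OK",
    "2 123456789010 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40002 445 6 1 40 1675300000 1675300059 REJECT OK",
    "2 123456789010 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40003 23 6 1 40 1675300001 1675300059 REJECT OK",
    "2 123456789010 eni-0a1b2c3d - - - - - - - 1675300060 1675300119 - NODATA",
]


def parse_flow_log(line):
    """Split one default-format record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None            # NODATA / SKIPDATA leave traffic fields empty
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def summarise(lines):
    """Aggregate OK records into flows keyed by (src, dst, dstport, protocol).

    Several aggregation intervals for the same conversation collapse into one
    entry with summed packets/bytes and the first/last time the flow was seen.
    """
    flows = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK":
            continue                    # nothing to count in NODATA/SKIPDATA
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "accept": 0, "reject": 0,
                                   "first_seen": rec["start"], "last_seen": rec["end"]})
        f["packets"] += rec["packets"]
        f["bytes"] += rec["bytes"]
        f["accept" if rec["action"] == "ACCEPT" else "reject"] += 1
        f["first_seen"] = min(f["first_seen"], rec["start"])
        f["last_seen"] = max(f["last_seen"], rec["end"])
    return flows


def rejected_sources(flows, min_flows=3):
    """Source addresses with at least min_flows distinct rejected flows.

    A useful first triage cut when looking for unexpected scanning of an
    instance; the threshold is an example value, not a recommendation.
    """
    counts = defaultdict(int)
    for (src, _dst, _port, _proto), f in flows.items():
        if f["reject"]:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_flows}


def fmt_ts(epoch):
    """Render a flow log epoch timestamp as UTC ISO 8601 for the timeline."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    flows = summarise(SAMPLE_LINES)
    for (src, dst, port, proto), f in flows.items():
        print(f"{src} -> {dst}:{port}/{proto} pkts={f['packets']} bytes={f['bytes']} "
              f"accept={f['accept']} reject={f['reject']} "
              f"{fmt_ts(f['first_seen'])}..{fmt_ts(f['last_seen'])}")
    print("sources with repeated rejects:", rejected_sources(flows))
```

The same parser works on lines pulled from CloudWatch Logs or from the S3 delivery objects; if you enabled a custom flow log format, adjust `FIELDS` to match the order you chose when creating the flow log.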
  6. Preparation
     PEOPLE
     - Train security operations staff on AWS
     PROCESS
     - Develop an incident response plan & strategy
     - Run drills & automate simulations where possible
     TECHNOLOGY
     - Build AWS accounts for security operations and log archive
     - Create read-only and break-glass roles for access to AWS accounts
  7. Detection & Analysis
     DETECTION
     - Set up a CloudTrail organization trail
     - Enable Amazon GuardDuty and AWS Security Hub with the security operations account as delegated admin
     - Monitor the GuardDuty & Security Hub findings
     ANALYSIS
     - Query CloudTrail logs with AWS Athena (or with your SIEM)
     - Leverage Amazon Detective for investigations and triaging findings
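Whether the CloudTrail analysis runs in Athena or a SIEM, the questions are the ones slide 2 lists (who, when, where, what, which resources, result), and the first detections are usually simple event-name watch-lists. The block below is an added example, not the deck's code: it loads a CloudTrail log file (the `{"Records": [...]}` JSON that CloudTrail delivers to S3), reduces each record to those six triage answers, and flags a few event classes. The records are constructed sample data and the `LOGGING_TAMPER` and `CREDENTIAL_EVENTS` watch-lists are illustrative starting points, not a complete rule set.

```python
"""Triage CloudTrail records into who/when/where/what/which/result and flag
a few high-signal event classes.

Added example, not code from the deck. SAMPLE_TRAIL is a constructed log file.
"""
import json

# Constructed principal used in the sample records below.
ALICE = {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
         "arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLE000000001"}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-02-02T10:15:01Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.9.0",
     "userIdentity": ALICE, "requestParameters": {"userName": "bob"},
     "responseElements": {"accessKey": {"userName": "bob", "accessKeyId": "AKIAEXAMPLE000000002",
                                        "status": "Active"}}},
    {"eventVersion": "1.08", "eventTime": "2023-02-02T10:16:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.9.0",
     "userIdentity": ALICE,
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
     "responseElements": None},
    {"eventVersion": "1.08", "eventTime": "2023-02-02T10:20:05Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.0.5", "userAgent": "Boto3/1.26.0",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/secops"},
     "requestParameters": None, "responseElements": None,
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
]})

# Illustrative watch-lists (assumption for this example; tune per environment).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def load_records(text):
    """Parse one CloudTrail log file (JSON with a top-level 'Records' list)."""
    return json.loads(text)["Records"]


def principal_of(rec):
    """Best available identifier for the caller: ARN, invoking service, or type."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def triage(rec):
    """Reduce a record to the six questions: who, when, where, what, which, result."""
    ident = rec.get("userIdentity") or {}
    return {
        "who": {"type": ident.get("type"), "principal": principal_of(rec),
                "access_key": ident.get("accessKeyId"),
                "source_ip": rec.get("sourceIPAddress"), "user_agent": rec.get("userAgent")},
        "when": rec.get("eventTime"),
        "where": rec.get("awsRegion"),
        "what": f"{rec.get('eventSource')}:{rec.get('eventName')}",
        "which": rec.get("requestParameters") or {},
        "result": f"error:{rec['errorCode']}" if "errorCode" in rec else "success",
    }


def flag_events(records):
    """Return (eventName, reason) for records matching the watch-lists above."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        if name in LOGGING_TAMPER:
            findings.append((name, "logging-tamper"))
        elif name in CREDENTIAL_EVENTS:
            findings.append((name, "credential-creation"))
        elif rec.get("errorCode") in DENIED_CODES:
            findings.append((name, "access-denied"))
    return findings


def source_ips_for(records, principal_arn):
    """All source IPs seen for one principal; new ones are worth a second look."""
    return sorted({r["sourceIPAddress"] for r in records if principal_of(r) == principal_arn})


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    for rec in records:
        print(json.dumps(triage(rec), indent=1))
    print("flags:", flag_events(records))
    print("alice seen from:", source_ips_for(records, ALICE["arn"]))
```

The same field mapping is what you would express as columns in an Athena `SELECT` over the CloudTrail table (`useridentity.arn`, `sourceipaddress`, `eventtime`, `awsregion`, `eventname`, `errorcode`); having the reduction in code is handy for ad-hoc review of a few downloaded log files during an incident.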
  8. Containment, Eradication & Recovery
     CONTAINMENT
     - Disable/rotate IAM credentials
     - EC2 isolation through security groups and NACLs
     - System backup through snapshots
     ERADICATION
     - Leverage AWS Systems Manager to patch systems and run commands
     RECOVERY
     - Provision new infrastructure or modify NACLs/SGs back to their original state
     Note: These are just examples
  9. Post Incident
     DOCUMENTATION
     - Complete answers to who, what, where, why and how
     LESSONS LEARNED
     - Review IR processes and effectiveness with stakeholders
  10. What is Cloud Forensics
      • Cloud Forensics can be defined as the application of computer forensics principles and procedures in a cloud computing environment.
  11. Significant Log Sources
      CloudTrail, CloudTrail Insights, CloudWatch Logs, GuardDuty, VPC Flow Logs, S3 Server Access, Route 53, Load Balancer Logs
  12. Isolation
      • Create a separate forensic VPC for compromised resources. This forensic VPC should not be connected to any other VPCs.
      • Enable a logging mechanism, such as VPC flow logs
      • Create Quarantine and Forensic security groups
      • Create specific IAM roles with read-only access to resources
      • Create a snapshot of the EC2 instance
      • Store all log data in a separate S3 bucket with S3 Object Lock and MFA delete
      • Take a memory dump of the instance
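The quarantine security group from this slide (and the "EC2 isolation through security groups" step in slide 8) only isolates the instance if it really has no inbound rules and its egress is limited to the forensic collection path. The block below is an added example, not the deck's code: it builds the minimal quarantine group definition in the shape the EC2 `CreateSecurityGroup`/`AuthorizeSecurityGroupEgress` APIs use, and checks an existing group (in the shape `describe_security_groups` returns) against that policy before it is attached to a compromised instance. The collector CIDR and port, and the sample group descriptions, are constructed assumptions.

```python
"""Define and validate a quarantine security group for EC2 isolation.

Added example, not code from the deck. FORENSIC_COLLECTOR_CIDR/PORT and the
sample security groups below are constructed values for illustration.
"""

FORENSIC_COLLECTOR_CIDR = "10.99.0.0/24"   # hypothetical forensic VPC subnet
FORENSIC_COLLECTOR_PORT = 443              # hypothetical collector listener


def quarantine_sg_spec(vpc_id, collector_cidr=FORENSIC_COLLECTOR_CIDR,
                       collector_port=FORENSIC_COLLECTOR_PORT):
    """Minimal quarantine group: no inbound, egress only to the collector.

    Returned in the field names EC2 uses so the pieces map directly onto
    create_security_group / authorize_security_group_egress calls (plus a
    revoke of the default allow-all egress that every new group starts with).
    """
    return {
        "GroupName": "quarantine",
        "Description": "IR quarantine: no inbound, egress to forensic collector only",
        "VpcId": vpc_id,
        "IpPermissions": [],
        "IpPermissionsEgress": [{
            "IpProtocol": "tcp", "FromPort": collector_port, "ToPort": collector_port,
            "IpRanges": [{"CidrIp": collector_cidr, "Description": "forensic collector"}],
        }],
    }


def check_quarantine_sg(sg, collector_cidr=FORENSIC_COLLECTOR_CIDR):
    """Return a list of policy violations; an empty list means isolation-grade.

    Accepts a group dict as returned by describe_security_groups.
    """
    violations = []
    inbound = sg.get("IpPermissions") or []
    if inbound:
        violations.append(f"{len(inbound)} inbound rule(s) present")
    for perm in sg.get("IpPermissionsEgress") or []:
        proto = perm.get("IpProtocol")
        port = perm.get("FromPort")
        for r in perm.get("IpRanges") or []:
            if r.get("CidrIp") != collector_cidr:
                violations.append(f"egress to {r.get('CidrIp')} ({proto}/{port})")
        for r in perm.get("Ipv6Ranges") or []:
            violations.append(f"egress to {r.get('CidrIpv6')} ({proto}/{port})")
        if perm.get("UserIdGroupPairs"):
            violations.append(f"egress to other security groups ({proto}/{port})")
        if perm.get("PrefixListIds"):
            violations.append(f"egress to prefix list ({proto}/{port})")
        if proto == "-1":
            violations.append("all-protocol egress rule present")
    return violations


# Constructed examples of groups you might find attached to a compromised host.
DEFAULT_SG = {   # a VPC default group: no inbound, but allow-all egress
    "GroupId": "sg-0default", "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}],
}
WEB_SG = {       # a typical web group: inbound 443 from anywhere, allow-all egress
    "GroupId": "sg-0web",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": DEFAULT_SG["IpPermissionsEgress"],
}


if __name__ == "__main__":
    spec = quarantine_sg_spec("vpc-0123abcd")
    print("quarantine spec violations:", check_quarantine_sg(spec))
    for sg in (DEFAULT_SG, WEB_SG):
        print(sg["GroupId"], "->", check_quarantine_sg(sg) or "OK")
```

In practice the order matters: snapshot the volumes and capture memory first (the slide's last two bullets), then swap the instance's group list to the quarantine group only, since revoking egress before the memory dump has been shipped to the forensic bucket loses the evidence you were trying to keep.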
  13. Cloud Forensics Challenges
      • Accessibility of logs
      • Physical inaccessibility
      • Volatility of data
      • Identification of evidence at the client side
      • Dependence on CSP trust